Linking the Economics of Cyber Security and Corporate Reputation

Ben Brooker, Jonathan Crawford, and Barry M. Horowitz

Abstract This paper deals with two aspects of breach reporting laws. The first analysis explores the relationship between breach reports that result in media attention and the corresponding impact that attention can have on corporations' investment strategies for cyber security. We use openly available financial data and news articles that publicize cyber breaches to derive estimates of how different companies might use part of their cyber investment to protect their reputation. The second analysis develops elements of a framework for evaluating the effectiveness of cyber security breach reporting laws. We address two important questions in the assessment of breach reporting legislation: 1) How does the rate of reporting security breaches across states compare with the rate of reporting of security threats to computer operating systems? and 2) What factors other than the implementation of breach reporting legislation affect the rate of reporting security breaches across states?

KEY WORDS: Cyber security; reputation; economics; security breach
JEL Classifications: C51, C82, K23, L51

B. Brooker, University of Virginia, Charlottesville, VA, USA, e-mail: bjb2v@virginia.edu
J. Crawford, University of Virginia, Charlottesville, VA, USA, e-mail: jac2bp@virginia.edu
B. Horowitz, University of Virginia, Charlottesville, VA, USA, e-mail: bh8e@virginia.edu

1 Reverse Engineering

Engineering professionals frequently use top-down analytical approaches in solving problems. The attractive property of top-down functional development, optimized efficiency, is also its weakness: it requires the engineer to make important modeling choices early in the analysis process, when they have minimal knowledge (Valckenaers 2003).
Reverse engineering is the process of analyzing a subject system to identify the system's components and their interrelationships and to create representations of the system in another form or at a higher level of abstraction (Chikofsky 1990). Reverse engineering in and of itself does not involve changing the subject system or creating a new system based on the reverse-engineered subject system. It is a process of examination, not a process of change or replication (Chikofsky 1990). In this paper we apply the reverse engineering methodology by taking the actual, openly observable decisions of companies and using an analytical model to uncover the implied values of the decision makers. This method can give decision makers an opportunity to reconsider their own decisions and also to evaluate the values of competitors. One specific example of how reverse engineering could be used in cyber security investment decision analysis is in finding the Pareto-optimal split between investment in cyber security for reputation and other investment uses of corporate profits. One is at a disadvantage when using a top-down analytical methodology to guide cyber security investment decisions because there is little data available about the frequency of attacks and their consequences, and the process requires an understanding of the values of the decision makers, which is extremely difficult without insider information. However, one can use reverse engineering to analyze the actions of company decision makers, which are openly visible to the public, to infer their implied values, assuming that their actions are rational and consistent with their industry. This paper uses reverse engineering to quantitatively evaluate the relationship between cyber security investments and reputation effects, using available data on attacks, corporate economic factors and cyber investments.
2 Background

A wide variety of cyber-based crime opportunities have resulted in an evolution of various types of cyber attacks that are being used to cause other business problems and that ultimately result in economic losses to individual businesses and to the national economy as a whole (Andrijcic 2006). Certain classes of attacks can result in lasting consequences, such as loss of reputation, loss of intellectual property, legal liability, or long, substantial Internet infrastructure outages (Andrijcic 2006). Our historical efforts have focused on this set of attacks, as they are likely to result in larger economic impacts. Even with the introduction of these new forms of risk, efficient cyber security budgeting within companies and government agencies is not assured. The inefficient allocation of cyber security dollars can be attributed to three facts: 1) Regulatory legislation on cyber security is relatively new, vague, and yet to be proven effective, 2) There has yet to be a large-scale catalytic event that has demanded greater attention and concern for cyber security, and 3) There still exists a knowledge gap between executive business decision makers and IT decision makers in corporations. This paper focuses on how companies correlate cyber security with risk to their reputation, and on the range of short-term effects of regulatory legislation on cyber security trends. The publication in a newspaper of a security breach could damage the reputation of a company, leading to corresponding losses of revenue. Management of the risk of a cyber security breach therefore includes companies investing to minimize the probability of being highlighted in news articles related to a successful cyber attack. Prior to 2003, there was no federal government legislation in place that required a company to report a disclosure of private information (Hasan 2006).
The federal government has since passed laws such as the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and the Sarbanes-Oxley Act. While these Acts do not create specific cyber breach notification requirements, they did give the authority to create such requirements (Wendlandt 2004). Only recently have states begun to pass breach notification laws, which can essentially be attributed to two main events. First, in July of 2003 California became the first state to enact legislation that required companies operating within the state to report any compromise of private information to affected parties (NCSL 2007). The second event, the ChoicePoint incident in February of 2005, showed that the impacts of cyber security breaches can be large and can affect a significant number of people. The company announced that it had unwittingly sold the personal information of at least 145,000 Americans to identity thieves in 2004 (Waldermeir 2006). Because of this incident, ChoicePoint has incurred significant financial losses from legal and professional fees, victim notification costs, heightened cyber security investments, and damaged reputation (Waldermeir 2006). As a result, states began enacting security breach notification legislation, and currently 34 states have some form of law in place (Hasan 2006). The changes in breach reporting requirements offer an important by-product: visibility to the press. Given that the press has an interest in reporting on cyber breaches, this inherently gives visibility to the public. The question we face now is how companies will invest in cyber security given its impact on their reputation and the corresponding impacts on their revenues and profits.
The analyses and results presented in this paper have two principal objectives: 1) We would like to understand how reporting laws could affect companies' actions with regard to cyber security investments, and 2) We look to understand the differences between various industries regarding how they relate cyber security investments to protecting their reputation. This paper also poses two important questions with respect to the assessment of breach reporting legislation: 1) How does the rate of reporting security breaches across states compare with the rate of reporting of security threats to computer operating systems? and 2) What factors other than the implementation of breach reporting legislation affect the rate of reporting security breaches across states? We have developed an analytical method that uses readily available information to monetarily quantify the risk to reputation that a publicized security breach presents to one industry versus another. Along with this method, we have also developed a methodology that can be applied in future analyses to evaluate the effectiveness of breach reporting legislation and can assist in pinpointing legislative weaknesses across states. Understanding industry-to-industry variations in cyber risk assessment, the differences in breach reporting laws across states, and the factors that contribute to varying rates of breach reporting across industries allows one to recognize the relative impact of tighter reporting legislation across the various sectors of our economy.

3 Methodology

3.1 Reputation Model

This section presents the model used to quantify a company's perceived risk of reputation loss due to the publication of a news article revealing a security breach. Company financial data are used to estimate model parameters and calculate model outputs for companies in the financial, retail, and manufacturing industries.
The reputation model illustrates how one industry perceives that cyber security affects its reputation compared to another industry. This is accomplished by deriving an equation for how much of each company's overall cyber investment might be logically allocated toward reputation, and then calculating the ratio of the allocation percentages. The allocation related to reputation is inferred from an expected value calculation that includes the likelihood of having an attack reported in the press. The variables used for this model are summarized below:

β = Probability of a company being the victim of a successful cyber attack resulting in a news article within a one year time period, assuming that the company does not specifically focus on its reputation as a reason for additional cyber security investment
α = Probability of a company being the victim of a successful cyber attack resulting in a news article, assuming that the company makes an additional cyber security investment that is focused on protecting company reputation
P = Profit at risk due to the public visibility of a security breach
V = Revenue at risk due to the public visibility of a security breach
PM = Profit margin of the company
C = Total annual company investment for cyber security
K1 = Percent of overall cyber security spending allocated towards protecting reputation
K2 = Percent of expected financial loss due to a reputation-impacting cyber attack that a company invests to avoid exposure via a news article

Industries i and j, noted in the following equations, represent different U.S. industries (e.g., manufacturing, banking) where i ≠ j.

In addition, there are a number of assumptions used for the model:
1) β is the current observed annual probability of a security breach being publicized. We assume all companies within a specific sector of the economy have the same potential for being the subject of a security breach publication.
2) The added reputation-focused cyber security investment is made in the hope that no publicized security breaches will occur, or that the probability of a publicized cyber attack will be reduced to nearly zero (α = 0).
3) The value of K2, the percentage of the expected reputation-driven financial loss a company is willing to pay for its reputation-based cyber protection, is the same from one company to another (i.e., we treat this in a manner similar to insurance, where rates are risk-based, and the same from one buyer to the next when the risks are the same).

Using these assumptions, the following results are derived:

$$\beta_i P_i \ge K_{1i} C_i \ge \alpha_i P_i \quad (1)$$

In Equation (1) we assume that the added cyber investment made towards protecting reputation must be less than or equal to the expected value of the profit at risk, $\beta_i P_i$. We also assume that the reputation-focused cyber security investment is made in the hope that no publicized security breaches will occur, so that the probability of a publicized cyber attack ($\alpha_i$) reduces to zero, resulting in Equation (2).

$$\beta_i P_i \ge K_{1i} C_i \quad (2)$$

We then multiply the left side of the inequality by $K_{2i}$ to account for the percentage of expected loss that a company is willing to spend in order to reduce risk. Accordingly, the inequality becomes an equality and we get Equation (3).

$$K_{2i} \beta_i P_i = K_{1i} C_i \quad (3)$$

Next, we divide both sides of the equation by $PM_i$. Dividing the profit at risk, $P_i$, by the profit margin, $PM_i$, gives the revenue at risk, $V_i$, as shown in Equation (4).

$$\frac{K_{2i} \beta_i P_i}{PM_i} = \frac{K_{1i} C_i}{PM_i} \;\Rightarrow\; K_{2i} \beta_i V_i = \frac{K_{1i} C_i}{PM_i} \quad (4)$$

We then bring the variables $C_i$ and $PM_i$ to the left side of the equation so that we may isolate $K_{1i}$, resulting in Equation (5).

$$K_{1i} = \frac{K_{2i} \beta_i PM_i V_i}{C_i} \quad (5)$$

We can now use Equation (5) to compare industry i to industry j, where i ≠ j. This comparison is shown in Equation (6).

$$\frac{K_{1i}}{K_{1j}} = \frac{\beta_i}{\beta_j} \cdot \frac{PM_i}{PM_j} \cdot \frac{C_j}{C_i} \cdot \frac{K_{2i}}{K_{2j}} \cdot \frac{V_i}{V_j} \quad (6)$$

As indicated above, we assume that the value of K2 is the same from one company to another, so the K2 ratio becomes equal to one, resulting in Equation (7).

$$\frac{K_{1i}}{K_{1j}} = \frac{\beta_i}{\beta_j} \cdot \frac{PM_i}{PM_j} \cdot \frac{C_j}{C_i} \cdot \frac{V_i}{V_j} \quad (7)$$

We then collect data for applying Equation (7) to provide an evaluation of the relative emphasis different sectors of the economy should logically place on reputation as related to cyber security.

3.2 Framework for Law Evaluation

Here we introduce elements of a framework that can be used in the assessment of the effectiveness of cyber security breach reporting legislation. The framework consists of two main analyses: 1) A correlation analysis to uncover any factors that may contribute to the rate of breach reporting across states, and 2) A rate comparison analysis that compares the rates of breach reporting to the rate at which software companies develop operating system security patches (in response to identified exploitation possibilities). The results of the analyses are then given multiple interpretations, and conclusions are drawn. Before going into further detail about the analyses conducted, a number of terms must be defined. First, a breach is defined to be an event in which computerized personal information was, or is reasonably believed to have been, acquired by an unauthorized person. It does not include denial of service or other attacks that do not satisfy the definition. A publicized breach is a breach that is made public by reporting to consumer reporting agencies, law enforcement, the media, or directly to the individuals affected.
Personal information is defined as the first name or initial and last name of an individual, with one or more of the following: 1) Social Security Number, 2) driver’s license number, 3) credit card or debit card number, or 4) a financial account number with information such as PINs, passwords or authorization codes that could gain access to the account (Proskauer 2007). In the context of this paper, a breach reporting law is defined as a state law that requires handlers of personal information to notify all affected parties in the event of a breach that compromises the parties’ personal information. Finally, in the rate comparison analysis, the term threat is used rather than vulnerability when describing security patches. The assumption is made that only critical or high level vulnerabilities are true threats that can lead to a breach of security for companies and government agencies, so they are the only patches included in the counts. This framework for effectiveness evaluation offers three important views of the current state of cyber security breach reporting. First, a simple state-by-state count of publicized security breaches is made to offer a very general, macro view of breach reporting. Next, the correlation analysis aims to identify any factors that may contribute to different rates of reporting across states. The number of publicized breaches is compared to factors such as the existence of a law in a state, the population of a state, the number of businesses in a state, and the size of newspaper distributions in a state. Finally, the rate comparison analysis offers a view of how breach reporting and corporate responsibility compare to the hacking threat posed to the most used operating systems. If there are major disparities in rates, hypotheses can be made about how companies are acting with respect to the actual level of risk in their cyber security systems. 
3.3 Data

The company data used to develop results for the cyber risk analysis were collected from various sources. Morningstar and Yahoo Finance were used to collect data on revenue and profit margin for companies (Vi, PMi). Overall cyber security spending for each company (Ci) was approximated using data from Forrester Research, a research institution that focuses on technology trends (Kark 2006, Bartels 2006). The 2006 IT spending forecasts as percentages of revenue, available from Forrester publications, were multiplied by the 2006 IT security spending forecasts as percentages of IT spending, also available from Forrester publications. The resulting percentages were used as estimates of cyber security spending as a fraction of company revenue, by the industry in which the company resides. In order to estimate the likelihood of a successful cyber attack, we restricted the set of companies of interest to those with 5,000 or more employees. The probability of a company with more than 5,000 employees having a published security breach in a one year period was calculated by dividing the number of companies in each industry with at least one newspaper article published in a one year span by the total number of companies in that industry. The security breach articles were collected for October 1, 2005 to September 30, 2006, from the article databases PrivacyRightsClearingHouse.org and Attrition.org. The total number of companies in the U.S. with over 5,000 employees, on a sector by sector basis, was taken from the U.S. Census Bureau. We define a sector to be a subset of an industry (i.e., one company can be in multiple sectors). Because our industry definitions for news articles differed slightly from the Census Bureau's for sectors, we depended on sector counts rather than entire industry counts.
In some cases, the Census Bureau would specify industry company counts for companies with over 5,000 employees, but only specified sector company counts for companies with over 1,000 employees. To account for this difference, we calculated the proportion of companies with over 1,000 employees in an industry that were from a given sector by dividing the number of companies with over 1,000 employees in the sector by the number of companies with over 1,000 employees in the industry (see Equation (8)). Given only the number of companies with over 5,000 employees in an industry, we assumed that the sector proportion remained constant and multiplied the proportion by the industry count to get the number of companies with over 5,000 employees in a sector (see Equation (9)).

$$E_i = \frac{\#\,\text{Companies in Sector}_i\ (> 1\text{K employees})}{\#\,\text{Companies in Industry}_F\ (> 1\text{K employees})} \quad (8)$$

$$\#\,\text{Companies in Sector}_i\ (> 5\text{K employees}) = E_i \times \#\,\text{Companies in Industry}_F\ (> 5\text{K employees}) \quad (9)$$

With respect to the framework analyses, additional data pertinent to cyber security breach reporting legislation had to be collected, and the accessibility and availability of data had to be determined. As there is no central, federal or state-sponsored database of reported security breaches, the third-party reporting sites used for the cyber risk analyses, PrivacyRightsClearinghouse.org and Attrition.org, had to be used to gain an estimate of the true rate of breach reporting across states. To conduct the correlation analysis, state statistics and information were taken from the Census Bureau. Finally, to conduct the rate comparison analysis, the vulnerability patch rates of various operating systems were taken from the National Vulnerability Database.
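The following is an added worked example, not code from the paper, that carries the reputation model of Section 3.1 and the data steps of Section 3.3 through in Python: the sector scaling of Equations (8) and (9), the β estimate as the fraction of sector companies with at least one breach article, the approximation of C_i as revenue times the IT-spend and security-spend percentages, and the K1 ratio of Equation (7). The three β values are the paper's unbiased-reader estimates from Section 4.1; the profit margins, revenues, spending percentages and company counts are constructed assumptions for illustration and do not reproduce the paper's reported ratios.

```python
# Added worked example of the reputation model (Sections 3.1 and 3.3).
# The beta values are the paper's unbiased-reader estimates (Section 4.1);
# every other number below (profit margins, revenues, Forrester-style
# percentages, company counts) is a constructed assumption, not paper data.


def sector_count_5k(sector_1k: int, industry_1k: int, industry_5k: int) -> float:
    """Equations (8) and (9): estimate the >5K-employee company count of a sector
    when the Census Bureau gives sector counts only at >1K employees.
    E_i = sector_1k / industry_1k, then sector_5k = E_i * industry_5k."""
    if industry_1k <= 0 or sector_1k < 0 or sector_1k > industry_1k:
        raise ValueError("sector share E_i must lie in [0, 1]")
    e_i = sector_1k / industry_1k
    return e_i * industry_5k


def beta(publicized_companies: int, companies: float) -> float:
    """Observed annual probability of a publicized breach (Section 3.3):
    companies with at least one breach article / companies in the sector."""
    if companies <= 0 or publicized_companies < 0 or publicized_companies > companies:
        raise ValueError("publicized count must be between 0 and the sector size")
    return publicized_companies / companies


def cyber_spend(revenue: float, it_pct_of_revenue: float, sec_pct_of_it: float) -> float:
    """C_i as approximated in Section 3.3: revenue x (IT spend / revenue)
    x (security spend / IT spend)."""
    return revenue * it_pct_of_revenue * sec_pct_of_it


def k1_ratio(beta_i, beta_j, pm_i, pm_j, c_i, c_j, v_i=1.0, v_j=1.0) -> float:
    """Equation (7): K1_i/K1_j = (beta_i/beta_j)(PM_i/PM_j)(C_j/C_i)(V_i/V_j).
    K2 cancels under assumption 3; V_i/V_j defaults to one as in Figure 2."""
    for name, val in (("beta_j", beta_j), ("pm_j", pm_j), ("c_i", c_i), ("v_j", v_j)):
        if val <= 0:
            raise ValueError(f"{name} must be positive (it is a denominator)")
    return (beta_i / beta_j) * (pm_i / pm_j) * (c_j / c_i) * (v_i / v_j)


# Paper's unbiased-reader betas (Section 4.1).
BETA = {"finance": 0.0648, "retail": 0.0111, "manufacturing": 0.0110}

# Constructed inputs (assumptions, not paper data): profit margin, annual
# revenue in USD, IT spend as a share of revenue, security spend as a share of IT.
INPUTS = {
    "finance":       {"pm": 0.20, "revenue": 10e9, "it_pct": 0.06, "sec_pct": 0.10},
    "retail":        {"pm": 0.04, "revenue": 10e9, "it_pct": 0.02, "sec_pct": 0.08},
    "manufacturing": {"pm": 0.08, "revenue": 10e9, "it_pct": 0.03, "sec_pct": 0.08},
}


def compare(i: str, j: str, v_ratio: float = 1.0) -> float:
    """K1_i / K1_j for two named industries at a chosen V_i / V_j."""
    a, b = INPUTS[i], INPUTS[j]
    c_i = cyber_spend(a["revenue"], a["it_pct"], a["sec_pct"])
    c_j = cyber_spend(b["revenue"], b["it_pct"], b["sec_pct"])
    return k1_ratio(BETA[i], BETA[j], a["pm"], b["pm"], c_i, c_j, v_ratio, 1.0)


if __name__ == "__main__":
    # Constructed Census-style counts: 40 of 200 >1K-employee companies in the
    # industry fall in the sector, and the industry has 50 companies with >5K.
    print("sector >5K estimate:", sector_count_5k(40, 200, 50))
    for i, j in (("finance", "retail"), ("finance", "manufacturing"), ("manufacturing", "retail")):
        print(f"K1 {i}/{j} at V ratio 1: {compare(i, j):.2f}")
```

Run as a script it prints the sector estimate and the three industry comparisons at a V ratio of one; passing a V ratio greater than one to compare scales the result linearly, which is the relationship Figure 3 plots. The guards reject zero denominators and a publicized count larger than the sector size, the failure mode that arises when the Equation (9) estimate for a sector comes out smaller than the number of companies actually named in articles.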
4 Reputation Analysis Results

The reputation analysis results are presented in three ways: 1) Reputation-based financial loss due to a news article, independent of the details of the breach, 2) Reputation-based financial loss due to a news article when the breach being reported only impacts customers for the company's products, and 3) Reputation-based financial loss due to a news article when the breach being reported only impacts company employees and supply chain partners. The first representation assumes that all published articles mentioning a security breach will have a negative effect on reputation, regardless of the consequences of the breach or the parties affected by it. The second representation assumes that only articles mentioning security breaches that affect customers of the company's products will have a negative effect on reputation. The third representation assumes that only articles mentioning security breaches that affect supply chain partners, partner companies, and employees affect reputation negatively. The results for each representation are presented in graphs in Figures 1, 4 and 5. The 'betas' are estimates of the β's in Equations (1) through (7), the probability of a company being the victim of a successful cyber attack resulting in a news article in a one year time period, assuming no added investment allocated for reputation effects.

Fig. 1. This graph shows that the finance industry's β is much larger than that of the retail and manufacturing industries. This means that, according to available data, companies in the finance industry have a significantly higher probability of having a publicized security breach than companies in the retail and manufacturing industries.

After the β's were calculated, they were used in the calculation of the K1 ratios. Three industry comparisons were made: finance versus retail, finance versus manufacturing, and manufacturing versus retail.
A comparison of industry i versus industry j was made by dividing K1i by K1j, as shown in Equation (7), and assuming that the ratio of revenues at risk is one. The results of the K1 ratios are presented in Figure 2.

Fig. 2. This graph shows the K1 ratios calculated using the β values of the industries. For simplicity, the V ratios are assumed to be equal to one.

To account for the lack of data available for the manufacturing industry in the customer analysis (i.e., no security breaches impacting customers were published for the industry), we combined the retail and manufacturing industries, calculated a β, and calculated the K1 ratio for the finance industry versus the combination of the two industries. For the sake of simplicity, the V ratios are set to one in Figure 2. In Figure 3 below, the V ratio acts as the independent variable and the K1 ratios are computed for different levels of the V ratio. It is likely that the K1 ratios and V ratios are positively correlated, meaning that a high K1 ratio will be accompanied by a V ratio greater than one. Therefore, the high K1 ratios presented in the coming sections are likely greater in actuality, translating to an even greater bias in reputation-based cyber investment.

[Figure 3: K1 Ratios with V Ratio as Independent Variable. Series plotted: Unbiased FvsR, FvsM, MvsR; Customer FvsR, FvsRM; SupplyC FvsR, FvsM, MvsR. Horizontal axis: V Ratio (0 to 5); vertical axis: K1 Ratio (0 to 70).]

Fig. 3. This graph shows the K1 ratios calculated with the V ratios as the independent variable.

4.1 Results - Unbiased Reader

In the analysis of the reputation-based financial loss due to a news article, independent of the details of the breach, the finance industry has a significantly larger β (.0648) compared to the retail (.0111) and manufacturing (.0110) industries (Figure 1). The greater likelihood of having a publicized security breach has an impact on the K1 ratio results.
As shown in Figure 2, the finance industry investment profile derived from Forrester data implies that a greater percentage of its cyber budget would logically be allocated to protect against the negative reputation effects of a publicized security breach than for the other two sectors. More specifically, it appears that the finance industry should allocate 6.72 and 3.37 times more of its cyber budget toward reputation impacts than the retail and manufacturing industries, respectively. We may also infer that manufacturers should be more concerned with reputation effects of publicized security breaches than retailers, allocating twice as much of their cyber budget to protect their reputation.

4.2 Results – Customers

In this analysis, the finance industry's β again dominated the other industries due to the higher volume of publicized cyber security breaches. A complication arises because the manufacturing industry did not experience a publicized security breach during the one year period. To account for this, we combine the data for the retail and manufacturing industries so that a comparison can be made. The finance industry has the highest β of .0605, compared to the retail industry's value of .0093 and the combined manufacturing/retail value of .0043 (Figure 4). The results of the K1 ratio calculations are similar to those of the unbiased reader analysis. As shown in Figure 1, the finance industry should invest a greater percentage of its cyber budget to protect against the negative reputation effects of a publicized security breach when the breach being reported only impacts customers for the company's products. More specifically, the finance industry should invest 7.52 times more than the retail industry. When the data are combined, we find that the finance industry should invest 11.01 times more than the retail and manufacturing industries combined.

Fig. 4.
This graph shows that, according to available data, the finance industry has a greater likelihood of having a publicized security breach that would influence customers. Manufacturing and retail have a combined β because, during the one year span, the manufacturing industry did not experience a publicized security breach that affected customers.

4.3 Results – Supply Chain

We see far different results in this analysis, as the manufacturing industry has a larger β value (.0110) than the finance (.0086) and retail (.0019) industries (Figure 5). This change in the likelihood of having a publicized breach for each industry gives a completely different view of reputation concerns. As shown in Figure 1, the manufacturing industry allocates 11.95 times more of its overall cyber security budget than the retail industry does toward reputation protection in its supply chain. Because the K1 ratio for finance versus manufacturing is less than one, it can be inverted to reveal that manufacturers would be willing to allocate twice as much of their budgets as financial institutions to protect against reputation-based loss. These results are reasonable: manufacturers, who depend greatly on supply chain partners and whose customers are often other companies, are willing to invest more to protect their reputation with their partner companies and employees.

Fig. 5. This graph shows that, according to available data, the finance and manufacturing industries have a greater likelihood of having a publicized security breach that would influence supply chain partners, business partners, or employees.

5 Framework Results

5.1 Breach Count Analysis

The analysis begins with a simple count of the number of breaches reported in 2005 and 2006. In 2005 there were a total of 143 reported cyber security breaches in the United States, and 46% of states had some form of cyber security breach reporting legislation.
As shown in Table 1 and Figure 6, nearly half of the publicized breaches involved colleges and universities, with financial institutions, state agencies, federal agencies, and medical institutions also having high counts. When a state-by-state view is taken of the breach counts, California dominated other states with approximately 23% of the total breaches reported (see Table 2). Along with California, Ohio, Georgia, New York, Colorado, Texas, North Carolina, Michigan, Iowa, Massachusetts, and Washington D.C. accounted for 70% of the total breaches reported. Out of the 143 reported security breaches, 72% were reported in states that had enacted cyber security breach reporting legislation.

Table 1. 2005 Cyber Security Breach Count by Industry.

Table 2. 2005 Cyber Security Breach Statistics by State.

The next year, in 2006, there were a total of 319 reported cyber security breaches, an increase of 123% from 2005, and 60% of states had enacted some form of legislation. As shown in Table 3 and Figure 7, colleges and universities still saw the greatest percentage of publicized breaches; however, the growth rate of reported breaches in state agencies, federal agencies, financial institutions, and medical institutions was greater than that of colleges and universities. When a state-by-state view is taken of the breach counts, California breaches accounted for the greatest percentage of any state with 13.5% of the total publicized breaches (see Table 4). The reported breaches were more evenly spread out among states in 2006, with the top 11 states accounting for only 60% of total breaches. North Carolina, Iowa, Michigan, and Massachusetts dropped out of the top ten, and Virginia, Washington, Florida, and Illinois entered with significant increases from the prior year.

Table 3. 2006 Cyber Security Breach Count by Industry.

Table 4. 2006 Cyber Security Breach Statistics by State.
Across the fifty states and the District of Columbia, 41 states saw an increase in the number of publicized security breaches from 2005 to 2006, six states saw no change in the number of breaches, and only Georgia, Nevada, Hawaii, and Missouri saw a decrease. There were 23 states that had legislation in place prior to 2006, and 19 of them saw an increase in the number of reported cyber breaches from 2005 to 2006. Eight states enacted breach reporting legislation in 2006, and the total number of reports among them doubled from 2005 to 2006. Of the eight states, all saw an increase in breach reports with the exception of Idaho, which remained at one breach. The 20 states, and the District of Columbia, which had no breach reporting laws in place prior to 2007, saw the greatest percentage increase. Fifteen of these states saw an increase in reports from 2005 to 2006, and the total number of reports among them increased nearly 300%. For the purposes of this paper, disclosures of personal information can be divided into two categories: 1) Disclosures involving breaches of data by hackers outside of the organization, and 2) Disclosures involving breaches of data by insiders, lost computers and hardware, and stolen computers and hardware. In 2005, only 34% of reported breaches were of the first category, and of those reported breaches, 80% were reported by colleges and universities (see Table 5). An increase in the number of hacker reports was seen in 2006, but the number of hacker reports as a percentage of the total number of cyber reports decreased to just below 19% (see Table 6). This is potentially a positive finding, as a rise in the effectiveness of cyber security applications could be contributing to the slower rate of increase in reports. However, it could also be discouraging if the slower rate is due to companies withholding information on hacker attacks.

Table 5. 2005 Outside Hacker Breach Report Count by Industry.
Table 6. 2006 Outside Hacker Breach Report Count by Industry.

Before any conclusions can be drawn, an analysis must be conducted to uncover any factors that may contribute to a state's level of cyber security breach reports. For example, one would not want to automatically assume that California has more cyber security breach problems than Iowa because it has eleven times as many reported breaches. There are other factors, such as state population, the number of businesses within a state, and state newspaper distribution, that could affect the number of breaches reported. Next, a correlation analysis is presented in an effort to uncover these factors.

5.2 Correlation Analysis

To conduct the correlation analysis, a number of state statistics were taken from the Census Bureau. Other quantitative and qualitative variables could be used in future analyses, but the variables used in this paper are state population, state median income, state newspaper distribution, total number of firms within a state, and the existence of a breach reporting law within a state. Factors were considered strongly correlated when the correlation was greater than or equal to 0.80. The results of the correlation analyses for 2005 and 2006 are given in Table 7. In 2005, there were strong correlations between state population and the number of reported breaches (0.82), and between the number of firms and the number of reported breaches (0.83). This is not surprising, as it seems logical that a greater population would lead to a greater number of businesses, which would lead to more opportunities to experience a cyber breach. The existence of a breach reporting law did not have a significant correlation (0.31) with the number of breaches.

Table 7. Correlation Analysis Results.

In 2006, there was an even greater correlation between state population and the number of reported breaches (0.86), and between the number of firms within a state and the number of reported breaches (0.87).
Also, there was a significant correlation between the number of newspapers in circulation and the number of reported breaches (0.85). This is a logical finding, as one would assume that state population would be positively correlated to the number of newspapers in distribution. As in 2005, there was low correlation between the existence of a breach reporting law and the number of reported breaches in a state (0.21). To take a closer look at the lack of correlation between the existence of a breach reporting law and the number of reported breaches in a state, the details of individual laws had to be examined. One factor that could be an important disparity between laws is the requirement of a company to notify a consumer reporting agency when a breach of security occurs, rather than just the affected parties. However, when analyzed, no correlation was found between requiring notification to consumer reporting agencies and the number of reported breaches in a state (0.21). In fact, only 36% of the total attacks reported were from states that required a consumer reporting agency notification. This does not, however, indicate that the requirement of a company or government agency to report to a central body is of no value. This requirement would at least offer more visibility to the public and more accessibility of data to researchers, specifically if a public database of reported breaches was created. Thus far, we have shown how simple correlation analyses can be used to make inferences about the effectiveness of breach reporting laws. We have not, however, developed a framework to evaluate the performance of companies with respect to state breach reporting laws. The next section details how cyber security breach reporting rates and operating system vulnerability patch rates can be analyzed to infer how effective companies’ cyber security applications are at protecting their information. 
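The screen described in this section, as an added example that is not from the paper: a Pearson correlation over constructed, hypothetical state figures (population, firm count, and a law flag), the 0.80 threshold the text uses, and a per-capita normalization the paper does not perform but which is the check one would run before attributing a large state's raw count to anything other than its size. The state values below are made up for illustration and are not the Census Bureau inputs behind Table 7.

```python
"""Correlation screen for state breach-report counts (added example, constructed data)."""
import math

# Constructed illustrative values for eight hypothetical states; NOT the paper's data.
# population in millions, firms in thousands, law = 1 if a breach reporting law existed.
STATES = {
    "population": [36.0, 22.0, 18.0, 12.5, 9.0, 6.0, 3.0, 1.0],
    "firms":      [800, 500, 420, 300, 220, 150, 80, 30],
    "law":        [1, 1, 0, 1, 0, 1, 0, 1],
}
# Constructed reported-breach counts for the same eight states.
BREACHES = [40, 22, 20, 12, 11, 5, 4, 2]


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length numeric series."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need two series of equal length >= 2")
    mx = sum(xs) / len(xs)
    my = sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        # A constant series (e.g. every state has a law) has no defined correlation.
        raise ValueError("constant series has no correlation")
    return sxy / math.sqrt(sxx * syy)


def correlation_table(factors, target):
    """Correlate each candidate factor with the breach-count series."""
    return {name: pearson(values, target) for name, values in factors.items()}


def strong_factors(table, threshold=0.80):
    """Names of factors whose |r| meets the paper's 0.80 threshold, sorted."""
    return sorted(name for name, r in table.items() if abs(r) >= threshold)


def per_capita(counts, population):
    """Breach reports per million residents, removing the population effect."""
    return [c / p for c, p in zip(counts, population)]


if __name__ == "__main__":
    raw = correlation_table(STATES, BREACHES)
    for name, r in raw.items():
        print(f"{name:>10}: r = {r:+.2f}")
    print("strong factors:", strong_factors(raw))
    # Re-test the law flag against a size-normalized count before drawing conclusions.
    normalized = per_capita(BREACHES, STATES["population"])
    print("law vs breaches per million residents: r = "
          f"{pearson(STATES['law'], normalized):+.2f}")
```

The raw correlations reproduce the pattern the text reports: population and firm count clear the 0.80 bar, the law flag does not. The per-capita step is the caveat: only after dividing out population (or firm count) does a weak law correlation say anything about the law rather than about state size.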
5.3 Rate Comparison Analysis

To conduct this analysis, the overall count of reported cyber security breaches was taken and divided according to industry, as seen in Tables 2 and 4. Then, because we are only analyzing threat patch rates, we are only concerned with reports that involve breaches of security by hackers outside of the company or government agency; counts of only these breaches are given in Tables 5 and 6. We then compare these breach report rates to the security patch rates of the operating systems predominantly used by the given industries, taken from the National Vulnerability Database. Only patches of "critical" or "high" severity were counted, on the assumption that the most severe threats are of greatest concern to companies and government agencies. There were two main limitations faced when collecting data for this analysis. First, because the breach reporting laws are still in their formative years, there is limited data on outside hacker breach reports. This means that the breach reporting rates may be subject to high uncertainty. Second, the rate of security threat patches is not a proven, precise representation of the actual cyber threat posed to companies and government agencies. However, there is no precise way to measure the actual level of cyber threat in a network, and we believe that the patch data is sufficient for the developmental stages of an evaluation framework. Due to these limitations, we simply offer an example scenario of how this data could be used. If one had access to information on the actual usage of operating systems within an industry, one could apply that data to this framework to gain a better understanding of how industry reporting rates and actual threat rates compare. For illustrative purposes, we analyze colleges and universities.
From 2005 to 2006, colleges and universities saw outside hacker breach reports drop from 39 to 27, a decrease of 31%. If one were to assume that educational institutions predominantly use a Microsoft operating system, we would see from the National Vulnerability Database data that the OS saw an increase of 32% (71 to 94) in critical patches from 2005 to 2006. Although this is not all-telling, one could make a number of inferences from this information. One possible explanation for the difference in rates is that cyber threats are being patched in a timelier manner across all universities and colleges, translating into better cyber protection for users of their services. Alternatively, however, educational institutions could be withholding breach information or reporting hacker breaches as another category of cyber breach, as reporting one may have more negative repercussions than reporting the other. A second, similar example can be made of the finance industry. From 2005 to 2006, financial institutions saw a 400% increase of outside hacker breach reports from one to five. One could make the assumption that UNIX is the predominantly used operating system in the industry, in which case we would see no change in vulnerability patches as the National Vulnerability Database reports one patch for both 2005 and 2006. Again, this data is not all-telling, but a number of hypotheses could be formed. One possible explanation for the rate disparities is that financial institutions are not patching in a timely manner and multiple institutions are being affected by the same vulnerability. Another possibility is that, because state breach reporting laws have existed for such a short period of time, companies are just beginning to adjust to legislative compliance. Before any conclusions can be made, one must have an understanding of what is at stake and what the rationale is for educational institutions to report or withhold information on cyber security breaches. 
Over time, as more data becomes available, more substantial analyses can be performed to gain an improved understanding of the impact of reporting laws.

6 Conclusion

The analyses we have presented are just two of many that could be conducted on openly available data. As time goes on, the reporting laws for states will allow trend analysis as well as single-year analysis. In addition, since the reporting laws will be a primary source of information for news reporters, analyses can be done to better understand the relationships between cyber events and reporting. Our results lend support to the hypothesis that a financial institution has greater concern about protecting against reputation-based financial loss due to publicized security breaches than a retailer or a manufacturer. They also support the idea that companies that are closer to the end customers are likely to care more about negative publicity than suppliers to those companies. More specifically, our results show that the manufacturing industry should be more concerned with protecting against the publicizing of cyber breaches that impact employees and supply chain partners, while the finance industry is concerned with protecting against the publicizing of all cyber breaches, regardless of which parties are impacted. Judging from our results, government and industry policy makers should take into account that it is very likely that different sectors of the economy will have different responses to certain cyber policies. The findings presented above point to the likelihood that reporting laws would stimulate banks to increase security investments in areas such as customer identity theft, while manufacturers might be stimulated to invest in data encryption to reduce the likelihood of business-sensitive data being stolen. If companies are going to have concerns about their reputation, they will essentially have two ways to deal with them.
The reputation-based financial effects of a publicized security breach can be seen as a function of the actual attacks, the reporting of those attacks by law, and the reporting of those attacks by the media. More specifically, using a Bayesian probability analysis, the probability of experiencing a negative reputation-based financial effect due to a publicized cyber breach is the product of the probabilities of these three factors, each taken conditional on the factor before it (an attack must occur before it can be reported, and be reported before the media can publicize it). We assume that companies cannot control the media and, therefore, can only reduce reputation-based financial effects by either decreasing the probability of an attack or decreasing the probability of an attack becoming visible to the public. Reducing the probability of an attack and the probability of an attack becoming visible can be accomplished by increasing the level of cyber security investment made towards protecting against reputation-based impacts. However, it is possible that reducing visibility will prove to be less costly to companies if methods other than increased investment are used, such as avoiding the reporting of security breaches. Policy makers must be wary of the potential for companies to cover up cyber security breaches instead of making additional cyber security investments. For example, a stolen laptop with important, unprotected information stored in its memory can be viewed as a cyber security issue or as a stolen property issue, depending on a company's view of the consequences of reporting it as a cyber event. From the results of the framework analysis, we offer a number of recommendations that will aid future research on the topic and offer more visible, accurate information for consumers and researchers. The first recommendation for the improvement of this proposed framework is time.
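The product described above, written out as an added formalization rather than notation taken from the paper (the event names $A$, $L$ and $M$ are mine). Let $A$ be the event that an attack succeeds, $L$ the event that it is disclosed under a breach reporting law, and $M$ the event that the media publicizes the disclosure. Then

$$P(\text{loss}) = P(A)\cdot P(L \mid A)\cdot P(M \mid A, L).$$

This is the chain rule, so the factorization is exact provided each factor is conditioned on the events before it; the reading in which the three probabilities are simply multiplied is the special case where the conditionals equal the marginals. Because $P(\text{loss})$ is linear in each factor, scaling $P(A)$ by a factor $k$ and scaling $P(L \mid A)$ by the same $k$ both scale $P(\text{loss})$ by $k$:

$$P(\text{loss}) \;\to\; k\,P(\text{loss}) \quad\text{whether}\quad P(A) \to k\,P(A) \quad\text{or}\quad P(L \mid A) \to k\,P(L \mid A).$$

With $P(M \mid A, L)$ outside the company's control, the two levers are therefore interchangeable in effect, and the company will pull whichever is cheaper per unit of reduction. Lowering $P(A)$ costs security investment; lowering $P(L \mid A)$ costs only the risk of being caught not reporting. That asymmetry is the moral hazard the section goes on to describe.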
Because only 34 states and the District of Columbia have some form of breach reporting legislation, and many of those laws have been in place for less than two years, there is not enough data available to make any reliable conclusions about reporting trends. With time, more states will enact legislation, other states will modify legislation, companies and government agencies will adapt to breach reporting legislation compliance, and trends will be more easily identifiable. Second, a central database for cyber security breach reports must be created either on the state or national level. This database would serve two main purposes: 1) It would give greater visibility to the entire public, not just the parties directly affected by the breach, and 2) It would make data on breach reports more accessible and more reliable. The creation of a central reporting database would also call for more rigid language in state legislation; states would need to require that businesses and government agencies report to their respective databases and abandon legislation that allows bodies to report at their own discretion and only to the affected parties. While more care would need to be taken in breach reporting compliance, these changes would make for a more accurate depiction of the effectiveness of the laws. Finally, we recommend that further research be conducted on the topic of cyber threat patch rates and their relevance to the actual cyber risk posed to users. Gauging the actual level of cyber risk of operating systems is difficult because the risk is based on the level of intent of outside hackers and the number of undiscovered vulnerabilities, which is unknown. 
It would be of great value to know how a company's level of cyber security, as measured by actual successful attacks, compares to the level of risk implied by the patches required and the patch rate for the company being evaluated, because one would then be able to differentiate between a defect in state legislation and a lack of preparedness by a company. It is important that policy makers understand that with the creation of cyber security breach reporting laws, there is a newly created problem of moral hazard. More specifically, if a company experiences a breach of security, there may be less incentive to report the breach if the actual financial effects of the breach are minimal and the reputation-based financial effects of reporting the breach are extensive. In addition, there may be an incentive for a company to falsely report a cyber breach as an alternative form of disclosure of private information. For example, a business may experience a breach of security where an outside hacker accesses customer information, but to avoid more severe reputation-based consequences, the company may report the incident as a lost or stolen laptop. Policy makers must have a methodology in place to account for this moral hazard problem. If these recommendations are adhered to, this framework for the evaluation of cyber security breach reporting laws can be modified and improved such that a more accurate picture of the current state of cyber security in the U.S. can be painted. Once the performance of state laws has been effectively evaluated, policy makers can then take appropriate actions, such as conducting interviews with corporate decision-makers or audits of companies and government agencies, to gain a more comprehensive view. Only then can cyber security practices and legislation be accurately evaluated and effective modifications made to give better protection to personal data.

References

A Chronology of Data Breaches Reported Since the ChoicePoint Incident. (2006). Privacy Rights Clearinghouse, San Diego, California. <http://www.privacyrights.org/ar/ChronDataBreaches.htm>.
Andrijcic, E. and B. Horowitz. (2006). A Macro-Economic Framework for Evaluation of Cyber Security Risks Related to Protection of Intellectual Property. University of Virginia.
Attrition.org Data Loss Archive and Database (DLDOS). <http://attrition.org/dataloss>.
Bartels, Andrew. (2006, Mar. 31). US IT Spending Summary: Q4 2005 – Setting the Stage for Another Year of Moderate 7% Growth in 2006. Forrester Research, Inc.
Chikofsky, Elliot and J. Cross. (1990). Reverse Engineering and Design Recovery: A Taxonomy. <http://ieeexplore.ieee.org/iel1/52/1647/0043044.pdf?isnumber=&arnumber=4304>.
Client Alert: January 2007. (2007). Proskauer Rose LLP. <http://www.proskauer.com>.
Hasan, Ragib and William Yurcik. (2006). A Statistical Analysis of Disclosed Storage Security Breaches. National Center for Supercomputing Applications, University of Illinois at Urbana-Champaign.
Kark, Khalid. (2006, Oct. 4). The State of Information Security Spending – Information Security Spending Trends Downward. Forrester Research, Inc.
Kiely, M., E. Kobe, A. MacArthur, M. Polk, E. Rains, E. Andrijcic, J. Crawford, and B. Horowitz. (2006, April 14). Macro Economic Cyber Security Models. University of Virginia.
Morningstar. (2006). [Online]. <www.morningstar.com>.
National Conference of State Legislatures. (2006, October 8). Security Breach/Notification Legislation. <http://www.ncsl.org/programs/lis/cip/priv/breach.htm>.
U.S. Census Bureau. (2003). [Online]. <www.census.gov>.
Valckenaers, Paul. (2003). On the Design of Emergent Systems: An Investigation of Integration and Interoperability Issues. Engineering Applications of Artificial Intelligence, Vol. 16, Iss. 4.
Waldermeir, Patti. ChoicePoint fined $15M by FTC. FT.com. <http://www.ft.com/cms/s/b02019f4-8ea2-11da-b752-0000779e2340.html>.
Wendlandt, Dan. (2004). U.S. Cybersecurity Policy. Stanford University. <http://www.stanford.edu/class/msande9siaut04/slides/cybersecurity_policy.ppt>.
Yahoo Finance. (2006). [Online]. <http://finance.yahoo.com/>.